
Data breach response: the first 72 hours.

A breach is a legal event before it is a public one. The decisions made in the first three days — what to preserve, who to call, and what not to say — determine whether the incident stays contained or becomes a multi-year liability. Here is the sequence, the deadlines, and the structural choice that most businesses get wrong.


If you read nothing else

The most important decision in a breach response has nothing to do with notification or remediation. It is this: retain outside counsel first, and have counsel engage the forensic investigators. Communications between you and your attorney are privileged. The forensic report — documenting how the breach happened, what was taken, and what security failures allowed it — may be protected as attorney work product. The same report prepared without a counsel-directed structure is discoverable by every plaintiff's attorney who files suit. That document drives liability. Keeping it privileged is a structural choice made in the first hour, and it cannot be undone after the fact.


I've been inside organizations when the call comes in. "We think we had a breach." The next sentence is almost always the wrong one — either someone starts talking to the IT vendor about what happened, or someone drafts a customer email, or someone calls the insurance company without reading the policy. Each of those actions, taken before counsel is engaged, can cost more than the breach itself.

A data breach creates simultaneous obligations running in different directions: legal holds, regulatory notifications, contractual obligations to business partners, insurance notice requirements, and potential civil liability to affected individuals. None of them can be managed reactively. The businesses that get through a breach with minimum liability are the ones that treated it as a legal event from the moment of discovery — not a technology problem or a communications problem that legal would eventually review.

What follows is the sequence: what happens at each stage, what the legal obligations are, and what the structural decisions are that can't be revisited once made.

The response clock

Breach response has three distinct time bands. Each has its own obligations, its own cost drivers, and its own decision points. The items in each band are of two kinds: legal obligations, with specific consequences if missed, and operationally critical actions that aren't legally mandated but determine the trajectory of the response.

First 4 hours: contain, preserve, and make the structural choice

Call outside counsel — before any other vendor
This is the sequence decision. Counsel engaged first means the investigation can be structured to protect privilege. Counsel engaged after the IT team has already started the forensic work means that work is not privileged. Do not brief your internal team broadly, do not notify your IT vendor, do not call your insurance company, and do not draft any customer communication before counsel is on the phone.

Issue a litigation hold
A written instruction to preserve all documents, communications, logs, and system records related to the incident. Issued the moment litigation is reasonably anticipated — which is at discovery, not after notification. Destruction of evidence after a litigation hold should have been issued is spoliation. Courts treat it severely in subsequent proceedings.

Contain the incident — without destroying evidence
The IT team's instinct is to wipe and rebuild affected systems. In a breach response, that instinct is wrong: those systems contain the forensic evidence that establishes scope, root cause, and attribution. Containment means isolating affected systems from the network without wiping them, preserving logs, and capturing volatile memory where possible. Forensic investigators retained through counsel will direct this process.

Notify your cyber liability insurer
Most cyber policies have prompt notice requirements — some as short as 24–72 hours. Late notice can void coverage. Locate your policy before a breach happens; know the notice deadline and the notification mechanism. The insurer may have pre-approved vendors for forensics and counsel, and using unapproved vendors can affect coverage.

Hours 4–72: investigate scope, assess obligations, manage the circle

Engage forensic investigators through counsel
The forensic team's engagement letter should run to counsel, not directly to the business. They report to counsel. Their findings are communicated through counsel. This structure is what makes their report potentially privileged as attorney work product. The forensic report is the document that most directly drives liability in breach litigation — it documents exactly what happened, what data was compromised, and what security failures enabled the breach.

Assess the scope of affected data — systematically
What type of data was accessed or exfiltrated? Under Texas law, names alone don't trigger notification; names combined with Social Security numbers, driver's license numbers, financial account numbers with access codes, or health information do. The scope assessment determines which notification obligations apply, to how many individuals, and under which laws.

Identify which notification laws apply
Texas Chapter 521 governs notification to Texas residents. HIPAA governs if health data is involved. The GLBA Safeguards Rule governs if financial institution data is involved. PCI DSS contractual obligations apply if cardholder data is compromised. Multiple obligations may run simultaneously with different deadlines. The notification obligation analysis is a legal determination, not an IT one — it requires counsel.

Manage the internal circle — tightly
Every person briefed on the breach is a potential witness. Internal communications about the breach that are not directed through counsel are not privileged and are discoverable. Brief only those who need to know — the incident response team and the relevant executives. All substantive communications about the breach should go through counsel. Slack messages, emails, and texts describing what happened, who knew, and when are evidence.

Review contracts with affected third parties
If the breached data includes customer data, vendor data, or data processed under a service agreement, those contracts likely contain breach notification provisions — some with deadlines as short as 24–72 hours for business-to-business notification. Contractual notification obligations can be shorter than statutory ones. Missing a contractual notification deadline is itself a breach of contract claim.

Days 3–60: notify, remediate, and document the response

Send breach notification to affected individuals
Texas Chapter 521 requires notification "as expeditiously as possible" and no later than 60 days after determining a breach occurred. The notification letter must include: what happened, what type of data was involved, steps taken to protect individuals, steps individuals can take to protect themselves, and contact information. The letter is reviewed by counsel before it is sent. Unnecessary admissions in a notification letter expand liability exposure.

Notify the Texas Attorney General if 250+ residents are affected
Texas Business and Commerce Code §521.053 requires notification to the Texas AG when a breach affects 250 or more Texas residents, within the same 60-day window. The AG notification must be made simultaneously with, or before, the individual notifications. This filing is public record. Failure to notify carries civil penalties of up to $100 per affected individual, up to $250,000 per breach for unintentional violations.

Remediate — with documentation
Every remediation step taken — patching vulnerabilities, resetting credentials, implementing new controls — should be documented in writing, dated accurately, and retained. In subsequent litigation or regulatory review, the question of what the business did after the breach is as important as what the business did before it. Remediation without documentation looks like remediation never happened.

Prepare for litigation and regulatory inquiry
A breach affecting a meaningful number of individuals typically generates demand letters or class action filings within 30–90 days of notification. Regulatory inquiries from the Texas AG, the FTC, or sector-specific regulators can follow. The litigation hold, the counsel-directed forensic investigation, and the documented remediation are the foundation of the defense. Businesses that treated the response as a communications problem rather than a legal one arrive at this stage without that foundation.

Notification obligations by law

Multiple notification regimes often apply to the same breach simultaneously, each with its own trigger, deadline, and required recipient. The matrix below shows the most common frameworks affecting Texas businesses.

Notification requirements: primary frameworks affecting Texas businesses

Texas Chapter 521
  Trigger: unauthorized access to sensitive personal information of TX residents
  Deadline: 60 days from determination
  Who must be notified: affected individuals; TX AG if 250+ residents

HIPAA Breach Rule
  Trigger: breach of unsecured protected health information
  Deadline: 60 days (individuals and HHS); immediate media notice if 500+ in a state
  Who must be notified: affected individuals; HHS; media if 500+ in a state

GLBA Safeguards Rule
  Trigger: unauthorized access to customer financial information
  Deadline: 30 days for FTC notice if 500+ customers
  Who must be notified: FTC; affected customers as soon as reasonably practicable

PCI DSS
  Trigger: compromise of the cardholder data environment
  Deadline: immediate — typically within 24 hours of discovery
  Who must be notified: acquiring bank; card brands (Visa, Mastercard, etc.)

Contractual obligations
  Trigger: breach affecting data processed under a vendor or service agreement
  Deadline: per contract — often 24–72 hours
  Who must be notified: counterparty named in the agreement
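As an added illustration, not code from the original article: a small Python triage helper that applies the Chapter 521 combination rule from the scope-assessment step and the matrix above to a constructed set of affected records, counts Texas residents against the 250-resident AG threshold, and computes the 60-day statutory deadline alongside any shorter contractual window. Record field names, the record-level "encrypted" flag, and the sample data are assumptions made for the example.

```python
"""Scope-assessment triage helper (added example, not from the article).

Encodes the Texas Chapter 521 trigger as the article describes it: a name
combined with an unencrypted SSN, driver's license or state ID number,
financial account number plus its access code, or health information
triggers notification; a name alone does not. Field names are assumed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Elements that, combined with a name, make a record "sensitive personal
# information" per the article's summary of Chapter 521 (assumed field names).
TRIGGER_ELEMENTS = ("ssn", "drivers_license", "state_id", "health_info")
TX_AG_THRESHOLD = 250      # Texas residents affected -> AG notice required
NOTIFY_WINDOW_DAYS = 60    # outer statutory limit from the determination date


def record_triggers(rec):
    """True if this affected record triggers individual notification."""
    if not rec.get("name"):
        return False                       # combination rule: no name, no trigger
    if rec.get("encrypted", False):
        return False                       # assumed flag: elements were encrypted
    if any(rec.get(e) for e in TRIGGER_ELEMENTS):
        return True
    # an account or card number counts only together with its access code
    return bool(rec.get("account_number") and rec.get("access_code"))


def assess_scope(records, determined_on, contract_deadlines_hours=()):
    """Count notifiable individuals and compute the controlling deadlines."""
    triggered = [r for r in records if record_triggers(r)]
    by_state = Counter(r.get("state") for r in triggered)
    tx_residents = by_state.get("TX", 0)
    statutory = determined_on + timedelta(days=NOTIFY_WINDOW_DAYS)
    # Contractual B2B windows (often 24-72 h) can fall well before the
    # statutory limit; the article's rule is that the shortest one controls.
    contractual = [determined_on + timedelta(hours=h) for h in contract_deadlines_hours]
    return {
        "individuals_to_notify": len(triggered),
        "tx_residents": tx_residents,
        "tx_ag_notice_required": tx_residents >= TX_AG_THRESHOLD,
        "by_state": dict(by_state),
        "statutory_deadline": statutory.isoformat(),
        "earliest_deadline": min([statutory, *contractual]).isoformat(),
    }


def sample_records():
    """Constructed sample data for illustration only."""
    recs = [{"name": f"Resident {i}", "state": "TX", "ssn": "***"} for i in range(252)]
    recs += [{"name": "Name Only", "state": "TX"} for _ in range(5)]             # no trigger
    recs += [{"name": "Out of State", "state": "CA", "drivers_license": "X"} for _ in range(3)]
    recs += [{"name": "No Code", "state": "TX", "account_number": "1"}]          # no trigger
    recs += [{"name": "Encrypted", "state": "TX", "ssn": "***", "encrypted": True}]
    return recs


def demo():
    """Run the triage on the constructed sample with a 72-hour contract window."""
    return assess_scope(sample_records(), datetime(2024, 3, 1, 9, 0), (72,))


if __name__ == "__main__":
    print(demo())
```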

The mistake that defines the response

Most breach response failures trace back to a single decision made in the first hour: the business treats the breach as an IT problem and calls the IT team before calling an attorney. The IT team calls a forensic vendor. The forensic vendor begins its investigation. By the time counsel is engaged, the investigation is underway — and the forensic report is not privileged.

The forensic report is the document that tells the story of the breach. It identifies the attack vector, the duration of the intrusion, the data accessed, and the security controls that failed to prevent it. That story is what plaintiff's attorneys use to build a negligence case and what regulators use to assess penalties. A privileged forensic report can be withheld in litigation. An unprivileged one cannot.

A breach is a legal event before it is a technology event. The first call determines whether the response is protected or exposed.

The practical implication: your incident response plan — which every business handling customer data should have, and which most don't — should identify outside counsel as the first call, above the IT vendor, above the insurer, above the CEO's communications advisor. The sequence is not a technicality. It is the structural decision that determines whether the forensic investigation and the response documents live inside the attorney-client privilege or outside it.

Before the breach happens

Two investments made before a breach occurs determine whether the response is orderly or chaotic. Neither requires significant resources.

The first is a written incident response plan. It should name the response team — who is called first, in what order, and what each person's role is. It should identify outside counsel and the forensic vendor (engaged through counsel) before the incident, not during it. It should document the notification obligations that apply to your business based on the data you hold. And it should include the cyber insurance policy number and the insurer's breach notification contact. A business that discovers a breach at 11pm on a Friday and has to locate all of this information in real time will lose the first four hours to logistics rather than response.

The second is cyber liability insurance appropriately sized to the business's data exposure. A breach affecting several thousand customer records — routine in scale — can cost $150,000–$400,000 in notification, forensics, credit monitoring, and regulatory defense before a single civil claim is filed. That is not a cost most small and mid-sized Texas businesses can absorb from operations. Cyber coverage is the mechanism that makes a manageable incident out of one that would otherwise be existential.

How I help

The first call in a breach response should be to counsel. That call can be to me.

I've managed the legal side of data security incidents from the inside of organizations. I understand what the first hours require, which decisions cannot be revisited, and how to structure a response that protects the business rather than creating a documented record of its failures.

When a breach requires litigation defense or regulatory response, Scale LLP's litigation team handles it — including attorneys with experience in data privacy litigation in Texas state and federal courts. I stay involved on the business and strategy side, coordinating between forensics, regulatory counsel, and the operational team so that the response is coherent rather than reactive.

If you are in a breach right now: call. If you want to prepare before one happens: that is also a fifteen-minute conversation.


Going deeper

Questions I hear from Texas businesses about data breach obligations.

Texas breach notification requirements are governed by Texas Business and Commerce Code Chapter 521 and, effective January 2024, the Texas Data Privacy and Security Act (TDPSA). Chapter 521 requires notification to affected Texas residents "as expeditiously as possible" and no later than 60 days after determining a breach occurred. Sensitive personal information triggering notification includes names combined with Social Security numbers, driver's license or state ID numbers, financial account numbers with access codes, and certain health information. Texas requires notification to the Texas AG when 250 or more Texas residents are affected, within the same 60-day window. The TDPSA imposes additional obligations on businesses processing personal data above certain thresholds.

Retaining outside counsel first — and having forensic investigators engaged by and reporting to counsel — protects the investigation under attorney-client privilege and potentially as attorney work product. The forensic report documenting root cause, scope, and security failures is exactly the document that drives liability in breach litigation and regulatory proceedings. If the investigation is conducted without a counsel-directed structure, those documents are not privileged and are discoverable by plaintiff's attorneys and regulators. This structural choice is made in the first hour and cannot be undone after the fact.

Federal obligations depend on industry and data type. HIPAA requires covered entities to notify individuals within 60 days, HHS promptly, and media for breaches affecting 500+ state residents. The GLBA Safeguards Rule requires financial institutions to notify the FTC within 30 days for breaches affecting 500+ customers. PCI DSS — a contractual standard, not a federal law — requires immediate notification to acquiring banks and card brands. FERPA applies to educational institutions. Multiple frameworks often apply simultaneously with different deadlines; the shortest applicable deadline controls.

No Texas statute expressly requires all businesses to have a written plan, but the absence of one is evidence of inadequate data security practices in any resulting litigation or regulatory proceeding — and the adequacy of security practices is often central to the liability question. Federal frameworks including HIPAA and the GLBA Safeguards Rule impose written plan requirements on specific industries. Practically, a plan that names outside counsel as the first call, identifies the forensic vendor engaged through counsel, documents applicable notification obligations, and lists the cyber insurance contact information converts the chaotic first four hours of a breach into an orderly response.

Under Texas Chapter 521, "sensitive personal information" triggering notification includes an individual's name in combination with their unencrypted Social Security number; driver's license or Texas state ID number; financial account number or credit/debit card number with any required access code; and certain health information. The combination requirement matters — a list of names alone does not trigger notification. A list of names with Social Security numbers does. The obligation is triggered when the business determines a breach occurred — or when it reasonably believes one occurred, creating an obligation to investigate with urgency.

Failure to provide required notification under Texas Chapter 521 exposes the business to civil penalties enforced by the Texas AG — up to $100 per individual not notified, maximum $250,000 per breach for unintentional violations; up to $500,000 for intentional violations. The AG can also seek injunctive relief. Beyond state penalties, failure to notify is evidence of negligence in private lawsuits and can trigger scrutiny from federal regulators if federally regulated data was involved. The exposure from a cover-up or delayed disclosure is typically worse than the notification itself.

Texas law requires notification letters to include: what happened; the type of personal information involved; steps the business has taken to protect individuals from potential harm; steps individuals can take to protect themselves; and contact information for the business. The letter is a legal document — its content is reviewed by plaintiff's attorneys in any litigation and regulators in any investigation. Common mistakes: vague language creating ambiguity about breach scope; admissions about root cause or security failures beyond what is required; and commitments about remediation steps that exceed what has actually been implemented. The letter should be reviewed by counsel before it is sent.

Cyber liability insurance covers breach-related costs including forensic investigation, notification, credit monitoring, regulatory defense, and third-party liability. Standard CGL policies do not cover cyber incidents — coverage must be added separately. Key policy terms: pre-approval requirements for retaining vendors (using unapproved vendors can affect coverage); sublimits for specific cost categories; ransomware payment coverage (some policies explicitly exclude it); and the retroactive date that determines whether prior incidents are covered. For any business storing customer data, handling employee records, or processing payments, cyber coverage is not optional — it is the mechanism that makes a $200,000–$500,000 breach event manageable rather than existential.

If you're in a breach right now: call. Don't email.

Every hour of the first day matters. The decisions that protect the response are made before most businesses think to pick up the phone.

This article provides general information about data breach response obligations under Texas and federal law and is not legal advice for your specific situation. Breach notification requirements and applicable law depend on the type of data involved, the industries affected, and the specific circumstances of the incident. If you are experiencing a data security incident, contact an attorney immediately — do not rely solely on this article to determine your obligations. Chuck Kraus is licensed in Texas, Minnesota, Washington State, and Canada.